MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61722eb8fa05bc092a7944a030103adf69d2194ac91d8c00f61310b449703c53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vidar

Vendor detections: 16

Intelligence 16 IOCs YARA 12 File information Comments

SHA256 hash:	61722eb8fa05bc092a7944a030103adf69d2194ac91d8c00f61310b449703c53
SHA3-384 hash:	55e28c049efe79d27d06b876bc69a3ff78f2ec1d5501d1f8e7e22889e44fa7b2bae558965193d12c0b6ffd40bc66c88a
SHA1 hash:	57bd209ea0ebe92a32bf216e9733bf83c3b7482d
MD5 hash:	529eda78954ac715c4de4f75dfde8e5b
humanhash:	south-king-pizza-blossom
File name:	file
Download:	download sample
Signature	Vidar Create hunting rule
File size:	289'280 bytes
First seen:	2025-11-05 13:31:10 UTC
Last seen:	2025-11-05 14:21:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	31e06ec6723bcc3b75c69a4521e4b8f5 (15 x Vidar)
ssdeep	6144:e87Q4hzwuHbYBbIcleEo2UQ+q6B/j7YDAU0qa5pNqSSr6JNhOOml:e88uU85bEsJMJ0h5nqS/5OL
TLSH	T1395423B99299A06BEB04C9B73DCE6F8DD4094E59233E9DC8982E0DFD37C36F66118110
TrID	63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12) 24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.ICL) Windows Icons Library (generic) (2059/9) 1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 UPX vidar

Bitsight

url: http://178.16.54.200/vidar/random.exe

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	289'280 bytes
File size (de-compressed) :	645'120 bytes
Format:	win64/pe
Unpacked file:	6d170528faf56b51cbc2c2a19d00d8e643300e735e7235353c664c99e9d30a27

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

http://178.16.55.189/testmine/random.exe

Verdict:

Malicious activity

Analysis date:

2025-11-04 23:08:41 UTC

Tags:

auto redline stealer amadey botnet rdp generic stealc vidar hijackloader loader autoit gcleaner rust ip-check lumma neoreklami adware evasion xor-url upx deerstealer darkvision rat

Link:

https://app.any.run/tasks/d08e8925-af04-49da-94cb-2f50fbfd7728

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35513/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690b51e05a5ed7864e232070

Tags:

emotet cobalt

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Behavior that indicates a threat

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug crypto fingerprint hacktool obfuscated packed packed packed upx

Link:

https://www.filescan.io/uploads/690b51dd393eed3f38e48344/reports/a72f3efe-36f1-4a0f-9317-b3616520a7ad/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/61722eb8fa05bc092a7944a030103adf69d2194ac91d8c00f61310b449703c53

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-04T19:05:00Z UTC

Last seen:

2025-11-04T20:52:00Z UTC

Hits:

~10

Detections:

UDS:DangerousObject.Multi.Generic

Link:

https://opentip.kaspersky.com/61722eb8fa05bc092a7944a030103adf69d2194ac91d8c00f61310b449703c53/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0374e4ac-ea0c-4ee1-a63a-cb10bc520811

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/61722eb8fa05bc092a7944a030103adf69d2194ac91d8c00f61310b449703c53

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/529eda78954ac715c4de4f75dfde8e5b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/61722eb8fa05bc092a7944a030103adf69d2194ac91d8c00f61310b449703c53/

Verdict:

Malicious

Threat:

Family.STEALC

Link:

https://tip.neiki.dev/file/61722eb8fa05bc092a7944a030103adf69d2194ac91d8c00f61310b449703c53

Threat name:

Win64.Trojan.Amadey

Status:

Malicious

First seen:

2025-11-04 21:58:49 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mfzc5oh2aw6asktzisqdaeb235u5egkkzeoyyahwcmilislqhrjq._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:cc5cd0c8d3f774fd73bc0c723d24b01b campaign:/k0ddr stealer upx

Link:

https://tria.ge/reports/251105-qsx23awnby/

Behaviour

UPX packed file

Detects Vidar Stealer

Vidar

Vidar family

Malware Config

C2 Extraction:

https://telegram.me/k0ddr
https://steamcommunity.com/profiles/76561198772659493

Verdict:

Malicious

Tags:

Stealc

YARA:

n/a

Link:

https://app.threat.zone/submission/2ff1e683-3c50-4d46-907e-298df692c51a

Unpacked files

SH256 hash:

61722eb8fa05bc092a7944a030103adf69d2194ac91d8c00f61310b449703c53

MD5 hash:

529eda78954ac715c4de4f75dfde8e5b

SHA1 hash:

57bd209ea0ebe92a32bf216e9733bf83c3b7482d

Link:

https://www.unpac.me/results/55d5703b-3f39-45ed-9a6f-a560c27a8f54/

SH256 hash:

6d170528faf56b51cbc2c2a19d00d8e643300e735e7235353c664c99e9d30a27

MD5 hash:

053c3faa7aa51df2f67720b06ca274c6

SHA1 hash:

bec2925bc9ef303530c08a4605038c14a1cc74fa

Detections:

SUSP_XORed_URL_In_EXE

Link:

https://www.unpac.me/results/55d5703b-3f39-45ed-9a6f-a560c27a8f54/

Parent samples :

61722eb8fa05bc092a7944a030103adf69d2194ac91d8c00f61310b449703c53
6d170528faf56b51cbc2c2a19d00d8e643300e735e7235353c664c99e9d30a27

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/61722eb8fa05/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/61722eb8fa05bc092a7944a030103adf69d2194ac91d8c00f61310b449703c53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)